Use cached nwinfo for secgroup rules

This stops a potential DOS with source security groups by using the db cached version of the network info instead of calling out to the network api multiple times. Fixes bug 1184041 Change-Id: Id5f24ecf0e8cce60c27a9aecbc6e606c4c44d6b6
openstack · Jul 31, 2013 · 85aac04 · 85aac04
1 parent aca4ef5
commit 85aac04
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 13 deletions.
diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
@@ -3658,6 +3658,8 @@ def security_group_rule_get_by_security_group(context, security_group_id):
             filter_by(parent_group_id=security_group_id).
             options(joinedload_all('grantee_group.instances.'
                                    'system_metadata')).
+            options(joinedload('grantee_group.instances.'
+                               'info_cache')).
             all())
 
 

diff --git a/nova/tests/virt/libvirt/test_libvirt.py b/nova/tests/virt/libvirt/test_libvirt.py
@@ -4504,7 +4504,9 @@ def fake_iptables_execute(*cmd, **kwargs):
         from nova.network import linux_net
         linux_net.iptables_manager.execute = fake_iptables_execute
 
-        _fake_stub_out_get_nw_info(self.stubs, lambda *a, **kw: network_model)
+        from nova.compute import utils as compute_utils
+        self.stubs.Set(compute_utils, 'get_nw_info_for_instance',
+                       lambda instance: network_model)
 
         network_info = network_model.legacy()
         self.fw.prepare_instance_filter(instance_ref, network_info)

diff --git a/nova/tests/virt/xenapi/test_xenapi.py b/nova/tests/virt/xenapi/test_xenapi.py
@@ -2480,8 +2480,9 @@ def test_static_filters(self):
         network_model = fake_network.fake_get_instance_nw_info(self.stubs,
                                                       1, spectacular=True)
 
-        fake_network.stub_out_nw_api_get_instance_nw_info(self.stubs,
-                                      lambda *a, **kw: network_model)
+        from nova.compute import utils as compute_utils
+        self.stubs.Set(compute_utils, 'get_nw_info_for_instance',
+                       lambda instance: network_model)
 
         network_info = network_model.legacy()
         self.fw.prepare_instance_filter(instance_ref, network_info)

diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
@@ -19,8 +19,8 @@
 
 from oslo.config import cfg
 
+from nova.compute import utils as compute_utils
 from nova import context
-from nova import network
 from nova.network import linux_net
 from nova.openstack.common.gettextutils import _
 from nova.openstack.common import importutils
@@ -415,16 +415,9 @@ def instance_rules(self, instance, network_info):
                     fw_rules += [' '.join(args)]
                 else:
                     if rule['grantee_group']:
-                        # FIXME(jkoelker) This needs to be ported up into
-                        #                 the compute manager which already
-                        #                 has access to a nw_api handle,
-                        #                 and should be the only one making
-                        #                 making rpc calls.
-                        nw_api = network.API()
                         for instance in rule['grantee_group']['instances']:
-                            nw_info = nw_api.get_instance_nw_info(
-                                ctxt,
-                                instance)
+                            nw_info = compute_utils.get_nw_info_for_instance(
+                                    instance)
 
                             ips = [ip['address']
                                 for ip in nw_info.fixed_ips()